From 2a9d5f5e5142195e5a8c2a4e9bc3b17913706e2b Mon Sep 17 00:00:00 2001
From: Josh Hawkins <32435876+hawkeye217@users.noreply.github.com>
Date: Tue, 9 Sep 2025 17:44:01 -0500
Subject: [PATCH] protect export endpoints

---
 frigate/api/export.py | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/frigate/api/export.py b/frigate/api/export.py
index 160434c68..4b564bbf9 100644
--- a/frigate/api/export.py
+++ b/frigate/api/export.py
@@ -4,6 +4,7 @@ import logging
 import random
 import string
 from pathlib import Path
+from typing import List
 
 import psutil
 from fastapi import APIRouter, Depends, Request
@@ -11,7 +12,11 @@ from fastapi.responses import JSONResponse
 from peewee import DoesNotExist
 from playhouse.shortcuts import model_to_dict
 
-from frigate.api.auth import require_role
+from frigate.api.auth import (
+    get_allowed_cameras_for_filter,
+    require_camera_access,
+    require_role,
+)
 from frigate.api.defs.request.export_recordings_body import ExportRecordingsBody
 from frigate.api.defs.request.export_rename_body import ExportRenameBody
 from frigate.api.defs.tags import Tags
@@ -30,12 +35,23 @@ router = APIRouter(tags=[Tags.export])
 
 
 @router.get("/exports")
-def get_exports():
-    exports = Export.select().order_by(Export.date.desc()).dicts().iterator()
+def get_exports(
+    allowed_cameras: List[str] = Depends(get_allowed_cameras_for_filter),
+):
+    exports = (
+        Export.select()
+        .where(Export.camera << allowed_cameras)
+        .order_by(Export.date.desc())
+        .dicts()
+        .iterator()
+    )
     return JSONResponse(content=[e for e in exports])
 
 
-@router.post("/export/{camera_name}/start/{start_time}/end/{end_time}")
+@router.post(
+    "/export/{camera_name}/start/{start_time}/end/{end_time}",
+    dependencies=[Depends(require_camera_access)],
+)
 def export_recording(
     request: Request,
     camera_name: str,
@@ -137,6 +153,7 @@ def export_recording(
 def export_rename(event_id: str, body: ExportRenameBody):
     try:
         export: Export = Export.get(Export.id == event_id)
+        require_camera_access(export.camera)
     except DoesNotExist:
         return JSONResponse(
             content=(
@@ -165,6 +182,7 @@ def export_rename(event_id: str, body: ExportRenameBody):
 def export_delete(event_id: str):
     try:
         export: Export = Export.get(Export.id == event_id)
+        require_camera_access(export.camera)
     except DoesNotExist:
         return JSONResponse(
             content=(
@@ -217,7 +235,9 @@ def export_delete(event_id: str):
 @router.get("/exports/{export_id}")
 def get_export(export_id: str):
     try:
-        return JSONResponse(content=model_to_dict(Export.get(Export.id == export_id)))
+        export = Export.get(Export.id == export_id)
+        require_camera_access(export.camera)
+        return JSONResponse(content=model_to_dict(export))
     except DoesNotExist:
         return JSONResponse(
             content={"success": False, "message": "Export not found"},